@blamejs/exceptd-skills 0.12.23 → 0.12.24

package/lib/verify.js

@@ -621,6 +621,14 @@ function loadExpectedFingerprintFirstLine(pinPath) {
     // as UTF-8 mojibake — the first line never matches a live fingerprint
     // and the operator sees no signal. Refuse them; re-save as UTF-8.
     if ((b0 === 0xFF && b1 === 0xFE) || (b0 === 0xFE && b1 === 0xFF)) return null;
+    // UTF-16BE-without-BOM defense: a pin file saved as UTF-16BE on a host
+    // whose editor stripped the BOM (or never wrote one) decodes as
+    // 0x00 <printable ASCII> 0x00 <printable ASCII>... The leading NUL byte
+    // would survive into the utf8 string and the first-line compare would
+    // never match a SHA256:... fingerprint. Detect "00 XX" where XX is
+    // printable ASCII (0x20-0x7E) and refuse — same remediation: re-save
+    // the file as UTF-8.
+    if (b0 === 0x00 && b1 >= 0x20 && b1 <= 0x7E) return null;
   }
   let raw = buf.toString('utf8');
   if (raw.length > 0 && raw.charCodeAt(0) === 0xFEFF) raw = raw.slice(1);
@@ -747,10 +755,18 @@ if (require.main === module) {
     );
   } else if (pinResult.status === 'mismatch') {
     if (pinResult.rotationOverride) {
-      console.warn(
-        `[verify] WARN: live key fingerprint ${pinResult.actual} differs from pin ` +
-        `${pinResult.expected}. KEYS_ROTATED=1 set — accepting rotation. ` +
-        `Update keys/EXPECTED_FINGERPRINT to lock the new pin.`
+      process.emitWarning(
+        `live key fingerprint ${pinResult.actual} differs from pin ${pinResult.expected}; ` +
+        `KEYS_ROTATED=1 accepted. Update keys/EXPECTED_FINGERPRINT to lock the new pin.`,
+        { code: 'EXCEPTD_KEYS_ROTATED_OVERRIDE' }
+      );
+      // Mirror to stderr unconditionally: NODE_NO_WARNINGS=1 silences
+      // process.emitWarning, but a key-rotation override is a
+      // security-relevant event that must surface in the operator's
+      // terminal even when warnings are muted.
+      console.error(
+        `[verify] KEYS_ROTATED=1 override accepted; live fingerprint ${pinResult.actual} ` +
+        `differs from pin ${pinResult.expected}. Update keys/EXPECTED_FINGERPRINT to lock the new pin.`
       );
     } else {
       console.error(

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.12.23",
+  "version": "0.12.24",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "hRGoOFHglwqtRzGDiNxOIFk7QuDvFvUgsCxfGQ8cNB+DUgUFFAwTpbmX2ssP42LzbmT2GXo+h3RKDYQ1TGJdDw==",
-      "signed_at": "2026-05-15T07:53:22.483Z",
+      "signed_at": "2026-05-15T18:43:22.156Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Rz5jS554rDryT6FPVZy0PwHMCYoJQQhhNDNI9rvOptjDbsnnKtZkpVXlKke5OKmLu5fHEBaNPg856qMIZFq+Ag==",
-      "signed_at": "2026-05-15T07:53:22.485Z",
+      "signed_at": "2026-05-15T18:43:22.158Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "goSMEVE6QbfcdqCEgq324TNy6rZ2mWwPA28gMPvojy8ZzGFng87hLdyvKhDMo4S3KTK1D6CaTBksAzZw4Go8Cg==",
-      "signed_at": "2026-05-15T07:53:22.486Z",
+      "signed_at": "2026-05-15T18:43:22.159Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "cPRRTsNQT1MYR3cE5O3KdC4MB037EMc0fsMIbOyfOv16sR+DkiXmAhQOjlIC47HngHz3vhLI+rbqItN91VWpBg==",
-      "signed_at": "2026-05-15T07:53:22.486Z"
+      "signed_at": "2026-05-15T18:43:22.160Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "79NrFMRsqGsipWeE5ETQSVICGO4BjTJYgyir+PSaNVFpkLqLcwZd8Dr1V7iwX0H0fXFL3WpPz35gtrYCEG32BQ==",
-      "signed_at": "2026-05-15T07:53:22.487Z"
+      "signed_at": "2026-05-15T18:43:22.160Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "HSU+zjDZBGEVpPARxe0kw//H5Uz5cGrPIKOZWGcJybEl4MgxTsWiQd9qxCyuWoVSRE7mZFO7YwUCn67W0BiODw==",
-      "signed_at": "2026-05-15T07:53:22.487Z"
+      "signed_at": "2026-05-15T18:43:22.160Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "4mstnPFMNhiorB7iEwqb7Jh+OCG79Mhqt2h/RwL5JbnAIPBi0Fcv0JBhQ5msEaHO4gNnpcBrdMfiDxLDwetZCw==",
-      "signed_at": "2026-05-15T07:53:22.487Z",
+      "signed_at": "2026-05-15T18:43:22.161Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "FjdIy9NqQpSSMhIbyv5WhnJKrVLhO98iBfQ0AHqXw6yqXdVoWucyr729Jwhelq40oAkiBzbXi9RoVo63DHJwDw==",
-      "signed_at": "2026-05-15T07:53:22.488Z",
+      "signed_at": "2026-05-15T18:43:22.161Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "DxfXhSyoAGUo1emHh0uIIcg324ZreBYxmFdBDVAKOOuPmMlfN4RqNc/JGDSfVmMv5CjgYCUcSmkcYB0A5lk0Cg==",
-      "signed_at": "2026-05-15T07:53:22.488Z",
+      "signed_at": "2026-05-15T18:43:22.161Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "xALyn4ZC71A8oxFV18AZgTvLbggo5erRpMOwVJToNFZ0zdf1GF8O0dUBDxqKmEGfp5qDytR1mgyPw8TFwahBAg==",
-      "signed_at": "2026-05-15T07:53:22.489Z"
+      "signed_at": "2026-05-15T18:43:22.162Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "7yVjZkanFMKDQqXdX4B/7oLc2Rz72xHC1zscYd8F/+e5UAbR7ikK8Bn5EKZt3aBEOhHPAviSQNCMxpZD9U00CA==",
-      "signed_at": "2026-05-15T07:53:22.489Z"
+      "signed_at": "2026-05-15T18:43:22.163Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "OsoKfE75/MJQXdBKXfosPDE701t9kWHRAOx/1iCS/z5FJCWgcUGJJ0IvMbno2BT3O1UB5rL6QDCHK9arRyxLBQ==",
-      "signed_at": "2026-05-15T07:53:22.490Z"
+      "signed_at": "2026-05-15T18:43:22.163Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "V+qn5FqUlETfsEjvvi6jZGuQdqLFtFejfgPA6KSYxSlBXBTbOBXP3BGk5S+ba9akIzgbKh1j9VGB1MqsIt56DA==",
-      "signed_at": "2026-05-15T07:53:22.490Z",
+      "signed_at": "2026-05-15T18:43:22.163Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "UayHLLWXAkhnLPaPRsgDpAyE8FGk1tuG1/DYyhw84Uv4tfCKXMamsAhXHOyMIosQfsJq5ZHYVXZz0bYNpnlvDw==",
-      "signed_at": "2026-05-15T07:53:22.490Z"
+      "signed_at": "2026-05-15T18:43:22.164Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "zjq6ACAHD46xvhvQJKlrCPh5xDCuBuIWBI+QJB8RxcudpC7p7I1pqv+BY8DZdsAgU4tquCU8KC+xlduMIk3/DQ==",
-      "signed_at": "2026-05-15T07:53:22.491Z",
+      "signed_at": "2026-05-15T18:43:22.164Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "/lGgWehCMQUXjI6w4FUa+5wrbyRnct+txvVcXA+D2/ZEkoJKh+J/psO3j5HPf7Hpv+Y5SmkH71CoO+9qilyVDQ==",
-      "signed_at": "2026-05-15T07:53:22.491Z"
+      "signed_at": "2026-05-15T18:43:22.164Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "rh+/cr+wTcEmBwrGscBni/jXpxjjYP91pUKDFIGkahZpw+nghCM/3aLKFf5RFRnl3JKTyBRywIrYhUH1YuSlDw==",
-      "signed_at": "2026-05-15T07:53:22.491Z"
+      "signed_at": "2026-05-15T18:43:22.164Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-15T07:53:22.492Z"
+      "signed_at": "2026-05-15T18:43:22.165Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "/BCBGUVjGs1RZzqXfElxBWB8UoD4+MY2G1YekdWsTDbMcHvt3NZJf0/JcqdYHOsEhFQ21NEz3w3+6tmQ8htKDw==",
-      "signed_at": "2026-05-15T07:53:22.492Z"
+      "signed_at": "2026-05-15T18:43:22.165Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "mySOkGScsNPtEZcHg42EKcvUSBzADIB9mSlNe0L1yPllrB/83ypBj6cCERRw9ql+rtrNxapyc6Do+nCz7E5rDg==",
-      "signed_at": "2026-05-15T07:53:22.492Z"
+      "signed_at": "2026-05-15T18:43:22.165Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "XZigwq8X/csfrdG10O6Q1V5q0zUqSQGd3QrjRKkZ4fkaodG4mZahYuIQqxc8rU9jjtGAm9LtBXYB+I5csqj9Bw==",
-      "signed_at": "2026-05-15T07:53:22.493Z"
+      "signed_at": "2026-05-15T18:43:22.166Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "k0HrsZMBxiPWB1jl4dRwhv/R5IsqbZ+SLDv1Jx3/sRl51JyXjtm8vyogTNhSwsl5/IkaRakqIPJFRFRl5h/9CQ==",
-      "signed_at": "2026-05-15T07:53:22.493Z"
+      "signed_at": "2026-05-15T18:43:22.166Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "oHxjumOhk8y86WcwhAX8sSWIlPzt60KfTMn4DCJLeRrrQd5+i54fVADKAdZ3vOqfDN+DexO0uX4f5dLPtacRCQ==",
-      "signed_at": "2026-05-15T07:53:22.493Z"
+      "signed_at": "2026-05-15T18:43:22.166Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "UCiNjncvhkZItmLQA/Sm1/NCsOiLMwdCjfUw+067v4NIxhaMMaqRrAeD3KgMyEtov7m2Hq2kfwYSt5+DQsYDCQ==",
-      "signed_at": "2026-05-15T07:53:22.494Z"
+      "signed_at": "2026-05-15T18:43:22.167Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "V9kl8Cf8UMjNFyn3D/fSyhWHLeXWlx3WV/jT9jdF9SrjfDqymimuTt2o91cZ2FOEJndAH9V0JGXB13Ohz8K4CQ==",
-      "signed_at": "2026-05-15T07:53:22.494Z"
+      "signed_at": "2026-05-15T18:43:22.167Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "CgqHC9W0PUKbTMUR+K2lG/Dq8EAQGBKb07o8IqIDcn5Q9zxiIzE9kJg8AL+zN8z0vTkZSAIv2O+FfErNNkMvBw==",
-      "signed_at": "2026-05-15T07:53:22.494Z"
+      "signed_at": "2026-05-15T18:43:22.167Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "P2D++lB5hea3oi2vl9mf8C7N+E7zASoqt1v4tjKxtaTeb+U0UARgMOaZsoK/sO9TT/PG/au14Rl4EFxv+Xi1BA==",
-      "signed_at": "2026-05-15T07:53:22.494Z"
+      "signed_at": "2026-05-15T18:43:22.168Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "BDuLcpTeFp2BNSf1q4rYOhYKNhlgd3o5RZ0Uw9xW5olyYxPbZSgqekQ+6Ggaec09s7y6sqR37GS0vuAMdbrdDQ==",
-      "signed_at": "2026-05-15T07:53:22.495Z"
+      "signed_at": "2026-05-15T18:43:22.168Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "4IUJePr6XbE1Ns+cPvEFAVgrwdHLImuxdPYiilurxM2SmJym1itRC1prFMcuT6Kh6e1clYXwlzflcKm/eikyDA==",
-      "signed_at": "2026-05-15T07:53:22.495Z"
+      "signed_at": "2026-05-15T18:43:22.168Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "nMsyJ+rp5fM8/VjC7zsZyDjOC4hpxB+noT1VX7W0HBlq5t3SY56cwOGApwES/kBcCuf4qexKY376OxUr93zvCQ==",
-      "signed_at": "2026-05-15T07:53:22.496Z"
+      "signed_at": "2026-05-15T18:43:22.169Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "L1moEqEGkBkqY/3ohJcfqrlJn40UurDCyb2MOP/IwTAeZD+QbVZ17/drdsydkJ6qSXPiyiE6u8HDfZsDS13NBQ==",
-      "signed_at": "2026-05-15T07:53:22.496Z"
+      "signed_at": "2026-05-15T18:43:22.169Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ad1pHD4QQ8uXkhrzqLuWgnDpESOapzx3qGFchU9rxiX1aeLQkYKwpDzqIItFq82B5xjNsW7g5jXlF1sgK2HmCA==",
-      "signed_at": "2026-05-15T07:53:22.497Z"
+      "signed_at": "2026-05-15T18:43:22.170Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "UEn0305KAEqIfYOdzadLBdPG/PJ+3sJ/8ubvPFNcXfqXp2uOWTfqGUqY65PApA992VEEa1RBQt5R7Nyhd/OjDQ==",
-      "signed_at": "2026-05-15T07:53:22.497Z"
+      "signed_at": "2026-05-15T18:43:22.170Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4easZDYn25XK4E9MRnwnZohG3xdYMmOLlPznNVmr1ykNfB+343+ooj+R0quG8uEV/IqbTQpR1ink35K6jCghCg==",
-      "signed_at": "2026-05-15T07:53:22.497Z"
+      "signed_at": "2026-05-15T18:43:22.170Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "chbPWzjfx92OjEAwMIm+J4GObxy8uwTahNBvbhMfYL7vTAJe/lf2BaW8wUpchpMIwYL0985A/+WykH8zmk/DBA==",
-      "signed_at": "2026-05-15T07:53:22.498Z"
+      "signed_at": "2026-05-15T18:43:22.171Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "3V7kvM5cxXdCBoMnjvOoTvT3zD+/yZEBHYgiunYQe8tBm+vVnS4jCz1Nzv/ymePIfbYDo/PlzKeGTWStSsGiAg==",
-      "signed_at": "2026-05-15T07:53:22.498Z"
+      "signed_at": "2026-05-15T18:43:22.171Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "RiCryJEd66T2NNcSo/mZTd3sGWDycE3C37guLJanLdVL5co35DrPFmIl8qy3ZM/y+Wzg5vpny8VKgr1//1/bCA==",
-      "signed_at": "2026-05-15T07:53:22.498Z"
+      "signed_at": "2026-05-15T18:43:22.171Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,11 +2102,11 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "MMWvg3lIf5ygm31zyf1E43t3W9MfRbMBBPrqlj1wOa8AxVJL8LICnAXfmyJ/TNJXwpF+rfZeDdoxXkql8wmtBA==",
-      "signed_at": "2026-05-15T07:53:22.499Z"
+      "signed_at": "2026-05-15T18:43:22.172Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "Q4vCqveC4hR456ZIREhS/mkROsV2BoKpEsPJACcmDf5zLygdaMSOjbE2m5lHs36drQ8IOEIz98jwU/8UeEqrDg=="
+    "signature_base64": "cPGW0KS8nz/Ui3nikDkK9CPx6CSgsvhCUUJXxdGttw4Jo14IdD/fis0fJ/v5T65b6JQ4/GWzYnUvRUwIW2dSDg=="
   }
 }

package/package.json

@@ -1,16 +1,19 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.12.23",
+  "version": "0.12.24",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",
     "ai-skills",
     "atlas",
     "att-ck",
+    "attestation",
     "compliance",
+    "csaf-2.0",
     "cve",
     "cwe",
     "d3fend",
+    "ed25519",
     "framework-gap",
     "grc",
     "kev",
@@ -18,8 +21,11 @@
     "mcp",
     "nist",
     "nvd",
+    "openvex",
     "prompt-injection",
+    "provenance",
     "rwep",
+    "sarif",
     "security-research",
     "skills",
     "supply-chain",
@@ -37,7 +43,7 @@
   "license": "Apache-2.0",
   "author": "blamejs contributors",
   "engines": {
-    "node": ">=24.0.0"
+    "node": ">=22.11.0"
   },
   "bin": {
     "exceptd": "bin/exceptd.js"

package/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:9c7d3929-21bf-46a7-8618-e8453efc188b",
+  "serialNumber": "urn:uuid:c4aac98a-f333-41f2-9e96-3a738d7dabda",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-15T07:53:30.040Z",
+    "timestamp": "2026-05-15T18:43:23.703Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.23",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.24",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.12.23",
+      "version": "0.12.24",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.23",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.24",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.23"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.24"
         },
         {
           "type": "vcs",

package/scripts/check-test-coverage.js

@@ -448,6 +448,57 @@ function coversCveIoc(corpus, cveId) {
 
 // --- Main analyzer ----------------------------------------------------------
 
+// --- Class-level lint: ban coincidence-passing notEqual(r.status, 0) --------
+//
+// CLAUDE.md anti-coincidence rule: every exit-code assertion must pin the
+// EXACT code. `assert.notEqual(r.status, 0)` silently passes when an
+// unrelated failure produces ANY non-zero exit, hiding the regression the
+// test was meant to catch. This lint walks tests/*.test.js and rejects the
+// pattern outright. The `// allow-notEqual: <reason>` opt-out on the same
+// line is the escape hatch for genuine refusal-pins (asserting NOT a
+// specific code) — those must justify themselves inline.
+//
+// Pattern hits any of:
+//   assert.notEqual(r.status, 0)
+//   assert.notEqual(result.status, 0, '...')
+//   assert.notEqual(foo.status, 2, 'must not be unknown-cmd')   ← also refused
+// unless the same line ends with `// allow-notEqual: <reason>`.
+//
+// Cycle 8 JJJ: pre-fix, this class was a per-instance hunt across 25+ test
+// sites. Moving it to a structural lint keeps new tests / new ports from
+// regressing. Fix the class, not the instance (CLAUDE.md pitfall).
+function scanForCoincidenceAsserts(cwd) {
+  const out = [];
+  const testsDir = path.join(cwd, "tests");
+  if (!fs.existsSync(testsDir)) return out;
+  // Match `assert.notEqual( <ident>.status` — the receiver name varies
+  // (r, r1, result, child, etc.) but the .status access is the signal.
+  const banRe = /assert\.notEqual\s*\(\s*[A-Za-z_$][\w$]*\.status\b/;
+  const allowRe = /\/\/\s*allow-notEqual\s*:/;
+  const skipPrefix = "_helpers"; // helpers may legitimately reference the pattern
+  for (const entry of fs.readdirSync(testsDir, { withFileTypes: true })) {
+    if (!entry.isFile()) continue;
+    if (entry.name.startsWith(skipPrefix)) continue;
+    if (!entry.name.endsWith(".test.js")) continue;
+    const filePath = path.join(testsDir, entry.name);
+    let body;
+    try { body = fs.readFileSync(filePath, "utf8"); }
+    catch { continue; }
+    const lines = body.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (!banRe.test(line)) continue;
+      if (allowRe.test(line)) continue;
+      out.push({
+        file: path.join("tests", entry.name).replace(/\\/g, "/"),
+        line: i + 1,
+        snippet: line.trim(),
+      });
+    }
+  }
+  return out;
+}
+
 function analyze(opts) {
   const cwd = opts.repo || ROOT;
   // v0.12.8: resolve the diff anchor ONCE and thread it through every
@@ -526,6 +577,21 @@ function analyze(opts) {
     }
   }
 
+  // Class-level lint: ban `notEqual(<ident>.status, N)` outside of
+  // refusal-pin allowlist comments. Runs irrespective of the diff —
+  // a coincidence-passing assert that lands via a non-test-coverage
+  // path (someone hand-edits a tests/ file in a docs-only commit) is
+  // still a regression vector the gate must catch.
+  const coincidenceFindings = scanForCoincidenceAsserts(cwd);
+  for (const f of coincidenceFindings) {
+    findings.push({
+      file: f.file,
+      kind: "coincidence-assert",
+      surface: f.snippet,
+      change: `line ${f.line}: pin to exact exit code; see CLAUDE.md anti-coincidence rule. Opt out only with \`// allow-notEqual: <reason>\` on the same line for genuine refusal-pins.`,
+    });
+  }
+
   return { findings, allowlisted, manualReview, totalChanged: changed.length };
 }
 
@@ -595,5 +661,6 @@ module.exports = {
   analyze, parseArgs, categorize,
   extractCliSurface, extractLibExports, extractPlaybookIds, extractCveIocChanges,
   coversCliVerb, coversCliFlag, coversLibExport, coversPlaybookId, coversCveIoc,
+  scanForCoincidenceAsserts,
   DOCS_ALWAYS_GREEN,
 };

package/scripts/verify-shipped-tarball.js

@@ -300,6 +300,15 @@ try {
     const liveFpLine = `SHA256:${pubFp}`;
     if (firstLine !== liveFpLine) {
       if (process.env.KEYS_ROTATED === "1") {
+        // Surface the override through the structured warning channel as
+        // well so any caller listening on `process.on('warning')` can
+        // observe the key-rotation acceptance. Matches the three peer
+        // sites (bin/exceptd.js, lib/refresh-network.js, lib/verify.js).
+        process.emitWarning(
+          `extracted public.pem fingerprint ${liveFpLine} differs from pin ${firstLine}; KEYS_ROTATED=1 accepted. ` +
+          `Update keys/EXPECTED_FINGERPRINT to lock the new pin.`,
+          { code: "EXCEPTD_KEYS_ROTATED_OVERRIDE" }
+        );
         emit(`WARN: extracted public.pem fingerprint ${liveFpLine} differs from pin ${firstLine}; KEYS_ROTATED=1 accepted`);
       } else {
         fail(